mcp: client registration/token fixes (#5649)

## Summary

Fixes to MCP code registration and token requests. 

1. ease some requirements on fields that are RECOMMENDED 
2. fill in defaults
3. store both request and response in the client registration
4. check client secret in the /token request

## Related issues

- Fixes
https://linear.app/pomerium/issue/ENG-2462/mcp-ignore-unknown-grant-types-in-the-client-registration
- Fixes
https://linear.app/pomerium/issue/ENG-2461/mcp-support-client-secret-in-dynamic-client-registration
 
## User Explanation

<!-- How would you explain this change to the user? If this
change doesn't create any user-facing changes, you can leave
this blank. If filled out, add the `docs` label -->

## Checklist

- [x] reference any related issues
- [x] updated unit tests
- [x] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [ ] ready for review

internal/oauth21/validate_client.go

@@ -1,6 +1,7 @@
 package oauth21
 
 import (
+	"fmt"
 	"slices"
 
 	"github.com/pomerium/pomerium/internal/oauth21/gen"
@@ -8,17 +9,45 @@ import (
 )
 
 func ValidateAuthorizationRequest(
-	client *rfc7591v1.ClientMetadata,
+	client *rfc7591v1.Metadata,
 	req *gen.AuthorizationRequest,
 ) error {
 	if err := ValidateAuthorizationRequestRedirectURI(client, req.RedirectUri); err != nil {
 		return err
 	}
+	if err := ValidateAuthorizationRequestCodeChallenge(client, req); err != nil {
+		return err
+	}
+	return nil
+}
+
+func ValidateAuthorizationRequestCodeChallenge(
+	client *rfc7591v1.Metadata,
+	req *gen.AuthorizationRequest,
+) error {
+	m := client.GetTokenEndpointAuthMethod()
+	switch m {
+	case rfc7591v1.TokenEndpointAuthMethodNone:
+		if req.GetCodeChallenge() == "" {
+			return Error{
+				Code:        InvalidRequest,
+				Description: "code challenge are required when token endpoint auth method is 'none'",
+			}
+		}
+	case rfc7591v1.TokenEndpointAuthMethodClientSecretBasic,
+		rfc7591v1.TokenEndpointAuthMethodClientSecretPost:
+		// code challenge is recommended but not required for these methods
+	default:
+		return Error{
+			Code:        InvalidRequest,
+			Description: fmt.Sprintf("unsupported token endpoint auth method: %s", m),
+		}
+	}
 	return nil
 }
 
 func ValidateAuthorizationRequestRedirectURI(
-	client *rfc7591v1.ClientMetadata,
+	client *rfc7591v1.Metadata,
 	redirectURI *string,
 ) error {
 	if len(client.RedirectUris) == 0 {